CVE-2021-41265
Published on: 12/09/2021 12:00:00 AM UTC
Last Modified on: 12/15/2021 02:40:00 PM UTC
Certain versions of Flask-appbuilder from Flask-appbuilder Project contain the following vulnerability:
Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows a malicious actor with a carefully crafted request to authenticate successfully and gain access to existing protected REST API endpoints. This only affects non-database authentication types and the new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive the patch.
- CVE-2021-41265 has been assigned by the CNA to track the vulnerability; it is currently rated HIGH severity.
- Affected vendor/software: dpgaspar - Flask-AppBuilder, versions < 3.3.4
CVSS3 Score: 8.8 - HIGH (vector derived from the metrics below: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |
Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 6.5 - MEDIUM (vector derived from the metrics below: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |
Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | PARTIAL |
CVE References
Description | Tags |
---|---|
chore: improve schema validation (#1712) · dpgaspar/[email protected] · GitHub | github.com text/html |
Improper Authentication in Flask-AppBuilder · Advisory · dpgaspar/Flask-AppBuilder · GitHub | github.com text/html |
Release 3.3.4 · dpgaspar/Flask-AppBuilder · GitHub | github.com text/html |
Related QID Numbers
- 984150 Python (pip) Security Update for Flask-AppBuilder (GHSA-m3rf-7m4w-r66q)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Flask-appbuilder Project | Flask-appbuilder | All (wildcard; the advisory's affected range is < 3.3.4) | All | All | All |
- cpe:2.3:a:flask-appbuilder_project:flask-appbuilder:*:*:*:*:*:*:*:*
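Because the CPE entry wildcards the version, a scanner matching on it alone will flag every Flask-AppBuilder install, while the advisory only affects versions before 3.3.4. The following added example (not Flask-AppBuilder code; the only fact it takes from this page is the < 3.3.4 boundary, the requirements text is constructed sample input, and the version parser covers only a simple subset of PEP 440 rather than the full grammar) checks pinned versions against that boundary, treating pre-releases of 3.3.4 as still affected and post-releases of 3.3.4 as fixed.

```python
"""Flag Flask-AppBuilder pins in the version range affected by CVE-2021-41265.

Added example, not part of Flask-AppBuilder or of the advisory. FIXED_VERSION comes
from the advisory; the requirements text is constructed; the version parser handles
release, a/b/rc pre-release and .postN segments only (a subset of PEP 440).
"""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "3.3.4"  # first patched release, per the advisory

_VERSION_RE = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre>a|b|rc)(?P<prenum>\d+))?"
    r"(?:\.post(?P<post>\d+))?$",
    re.IGNORECASE,
)
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_REQ_PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[^\s;#]+)")


def version_key(version: str) -> Tuple[Tuple[int, ...], Tuple[int, int], int]:
    """Sortable key: 3.3 == 3.3.0 < 3.3.4a1 < 3.3.4rc2 < 3.3.4 < 3.3.4.post1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(x) for x in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:  # trailing zeros do not change ordering
        release.pop()
    if m.group("pre"):
        pre = (_PRE_ORDER[m.group("pre").lower()], int(m.group("prenum")))
    else:
        pre = (3, 0)  # a final release sorts after any of its pre-releases
    post = int(m.group("post") or 0)
    return (tuple(release), pre, post)


def is_affected(version: str) -> bool:
    """True when the Flask-AppBuilder version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def canonical_name(name: str) -> str:
    """PEP 503 normalisation so Flask-AppBuilder, flask_appbuilder and flask.appbuilder all match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (name, version, verdict) for each Flask-AppBuilder line in a requirements file.

    verdict is 'affected', 'fixed', or 'unpinned' when the line has no exact '==' pin.
    """
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_PIN_RE.match(line)
        if m:
            if canonical_name(m.group("name")) != "flask-appbuilder":
                continue
            version = m.group("version")
            verdict = "affected" if is_affected(version) else "fixed"
            results.append((m.group("name"), version, verdict))
        else:
            name = re.split(r"[<>=!~\s\[;]", line, 1)[0]
            if canonical_name(name) == "flask-appbuilder":
                results.append((name, None, "unpinned"))
    return results


# Constructed sample input, not taken from any real project
SAMPLE_REQUIREMENTS = """\
Flask==2.0.2
flask_appbuilder==3.3.3        # below 3.3.4: affected
Flask-AppBuilder==3.3.4
Flask-AppBuilder>=3.0          # range, not a pin: cannot be judged from the file alone
"""

if __name__ == "__main__":
    for name, version, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:18} {version or '-':10} {verdict}")
```

For an installed environment, feed the output of `pip freeze` to `scan_requirements`; lines with a range specifier are reported as `unpinned` because the file alone does not say which version was resolved.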
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
twitter.com | CVE-2021-41265 : Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain… twitter.com/i/web/status/1… | 2021-12-09 16:45:19 |
twitter.com | Potentially Critical CVE Detected! CVE-2021-41265 Description: Flask-AppBuilder is a development framework built on… twitter.com/i/web/status/1… | 2021-12-09 17:56:27 |
 | CVE-2021-41265 | 2021-12-09 18:38:41 |